-client name, server name, secret. Any following words on the same line are
-taken to be a list of acceptable IP addresses for that client. If
-there are only 3 words on the line, it is assumed that any IP address
-is OK; to disallow all IP addresses, use "-". If the secret starts
-with an `@', what follows is assumed to be the name of a file from
-which to read the secret. A "*" as the client or server name matches
-any name. When selecting a secret, \fIpppd\fR takes the best match, i.e.
-the match with the fewest wildcards.
+client name, server name, secret. Any following words on the same
+line are taken to be a list of acceptable IP addresses for that
+client. If there are only 3 words on the line, it is assumed that any
+IP address is OK; to disallow all IP addresses, use "-". A word
+starting with "!" indicates that the specified address is \fInot\fR
+acceptable. An address may be followed by "/" and a number \fIn\fR,
+to indicate a whole subnet, i.e. all addresses which have the same
+value in the most significant \fIn\fR bits.
+.LP
+If the
+secret starts with an `@', what follows is assumed to be the name of a
+file from which to read the secret. A "*" as the client or server
+name matches any name. When selecting a secret, \fIpppd\fR takes the
+best match, i.e. the match with the fewest wildcards.
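Review bot: The added sentences on "!" and "/n" (the `+` lines just before `.LP`) do not say how a list that mixes allowed and "!" words is evaluated. It is unclear whether the first matching word on the line decides, or whether a "!" match always overrides an allowed one. It is also unclear what happens to an address that matches nothing when the list contains only "!" words. Because this list acts as an access control on the peer's IP address, the text should state the evaluation order and the default for a non-matching address, and should say explicitly whether "!" may be combined with a "/n" subnet. A single example secrets line showing a subnet with one "!" exception would remove the ambiguity. Minor style point: the `+If the` line after `.LP` is a two-word fragment left over from the split; reflow that paragraph so the source stays readable.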